Cisco IOS Zero-Day RCE Vulnerability Actively Exploited in the Wild


Cisco has disclosed a zero-day vulnerability, CVE-2025-20352, in its widely used IOS and IOS XE software, confirming that it is being actively exploited in the wild.

The flaw exists in the Simple Network Management Protocol (SNMP) subsystem and can allow a remote attacker to achieve remote code execution (RCE) or cause a denial-of-service (DoS) condition on vulnerable devices.

The vulnerability was first identified during the investigation of a Cisco Technical Assistance Center (TAC) support case.

The vulnerability is rooted in a stack overflow condition (CWE-121) in the SNMP subsystem of Cisco IOS and IOS XE software. An attacker can trigger the flaw by sending a crafted SNMP packet over an IPv4 or IPv6 network to an affected device.

The advisory, published on September 24, 2025, confirms that all versions of SNMP (v1, v2c and v3) are affected.

The severity of the exploit depends on the attacker's privilege level:

  • A low-privileged but authenticated remote attacker can cause the affected device to reload, leading to a DoS condition. This requires access to an SNMPv2c read-only community string or valid SNMPv3 user credentials.
  • A high-privileged attacker with administrative or privilege 15 credentials can execute arbitrary code as the root user on devices running IOS XE, gaining full control of the system.

Active exploitation and affected devices

The Cisco Product Security Incident Response Team (PSIRT) confirmed successful exploitation of this vulnerability in the wild.

According to the advisory, the attackers exploited the flaw after first compromising local administrator credentials, demonstrating a chained attack methodology.

This highlights the critical need for strong credential management alongside patching.

The vulnerability affects a wide range of Cisco devices running vulnerable versions of IOS and IOS XE software where SNMP is enabled. The specific products mentioned include Meraki MS390 and Cisco Catalyst 9300 Series switches.

| Product | Affected versions | Fixed release |
|---|---|---|
| Cisco IOS and IOS XE software | All versions with SNMP enabled before the first fixed release of the software are considered vulnerable. | Customers must use the Cisco Software Checker to determine the appropriate fixed release for their specific software train. |
| Meraki MS390 switches | Meraki CS 17 and earlier. | The vulnerability is addressed in Cisco IOS XE software release 17.15.4A. |
| Cisco Catalyst 9300 Series switches | Meraki CS 17 and earlier. | The vulnerability is addressed in Cisco IOS XE software release 17.15.4A. |

Any device with SNMP enabled is considered vulnerable unless specific configurations are in place to block malicious traffic. Administrators can use show running-config commands to determine whether SNMP is active on their systems.

Cisco has published software updates to correct this vulnerability and strongly recommends that all customers upgrade to a fixed software release to fully resolve the problem. The advisory, identified as cisco-sa-snmp-x4LPhte, specifies that there is no workaround.

For organizations that cannot immediately apply updates, Cisco has provided a mitigation technique. Administrators can configure an SNMP view to exclude the affected object IDs (OIDs), preventing the vulnerable code path from being triggered.

However, Cisco warns that this mitigation can disrupt network management functions, such as device discovery and hardware inventory monitoring. As a general security measure, Cisco also advises restricting SNMP access to trusted users only.
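
A defender-side check for the two measures above (SNMP view filtering and restricting SNMP access), as an added example that is not from Cisco or the original article: it parses the snmp-server lines of a running-config and reports each community or group that lacks an ACL or a view with exclusions. The sample config, its names and the placeholder OID are constructed, and the option parsing is a simplification of IOS syntax.

```python
# Constructed sample of `show running-config | include snmp-server` output.
# EXAMPLE-OID-PLACEHOLDER stands in for the OIDs listed in the Cisco advisory.
SAMPLE_CONFIG = """\
snmp-server view RESTRICTED iso included
snmp-server view RESTRICTED EXAMPLE-OID-PLACEHOLDER excluded
snmp-server community monitorA view RESTRICTED RO 10
snmp-server community legacyB RO
snmp-server community opsC RW ipv6 MGMT6
snmp-server group NMS v3 priv read RESTRICTED access 10
snmp-server group OLD v3 auth
"""

SKIP_ARG = {"write", "notify", "context", "match"}  # keyword plus one argument, ignored
SKIP = {"ro", "rw", "access"}                       # keyword only, ignored


def parse_options(tokens):
    """Return (view, acl) from the options that follow a community or group name."""
    view = acl = None
    it = iter(tokens)
    for tok in it:
        key = tok.lower()
        if key in ("view", "read"):
            view = next(it, None)
        elif key in SKIP_ARG:
            next(it, None)
        elif key == "ipv6":
            acl = next(it, acl)
        elif key not in SKIP:
            acl = tok  # bare ACL number or name
    return view, acl


def audit_snmp(config):
    """Map each SNMP community/group to the access controls it lacks."""
    lines = [s.split() for s in map(str.strip, config.splitlines())
             if s.startswith("snmp-server ") and len(s.split()) >= 3]
    filtered = {w[2] for w in lines if w[1] == "view" and w[4:5] == ["excluded"]}
    findings = {}
    for w in lines:
        if w[1] == "community":
            opts = w[3:]
        elif w[1] == "group" and len(w) >= 4:
            opts = w[5:] if w[3].lower() == "v3" else w[4:]  # v3 adds auth|noauth|priv
        else:
            continue
        view, acl = parse_options(opts)
        gaps = [] if acl else ["no-acl"]
        findings[f"{w[1]} {w[2]}"] = gaps + ([] if view in filtered else ["no-filtered-view"])
    return findings
```

An empty result means no community or group lines were found; an empty list for an entry means both controls are present on it.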
